The ICO exists to empower you through information.

In detail

Why have you produced this guidance?

This guidance explains how data protection law applies when you use biometric data in biometric recognition systems. Read it to understand the law and our recommendations for good practice.

Who is it for?

This guidance is primarily for organisations that use or are considering using biometric recognition systems. It is also for providers of these systems (this could include vendors and developers). It therefore applies to controllers, processors and relevant third parties.

What does it cover?

This guidance looks at the definition of biometric data under the UK GDPR. It also focuses on biometric recognition uses and explains how these involve processing special category biometric data.

This guidance covers:

  • what biometric data is;
  • when it is considered special category data;
  • its use in biometric recognition systems; and
  • the data protection requirements you need to comply with.

What doesn’t it cover?

This guidance does not cover requirements of the data protection regimes for law enforcement purposes or the security services. However, some of the principles explained in this guidance are relevant to these regimes too.

This guidance is intended to highlight the considerations you should give to biometric data when you use biometric recognition systems. It is not intended to be a comprehensive guide to compliance. Where this guidance refers to principles already addressed in our other guidance, we provide links to the relevant further reading.

This guidance does not cover the use of biometric classification or categorisation systems. These systems make inferences about people based on observable characteristics and will be addressed in the next phase of our biometric technologies project through separate guidance. We will publish this guidance by the end of 2024.

This guidance also does not consider future changes to data protection legislation. We will update this guidance where necessary in response to any future changes to data protection law.

How should we use this guidance?

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.